CVE-2016-10087

The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference via vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.
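The load/remove/add sequence above, as an added example that is not libpng's own code: a deliberately simplified model of the text-chunk bookkeeping in pngset.c, showing the stale capacity counter that makes the second add dereference NULL, beside the reset that the fixed versions perform. It assumes the root cause is that the free left the allocated-capacity counter (`max_text` in libpng) untouched while setting the array pointer to NULL; the struct, function names and return codes here are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical, simplified model of libpng's text bookkeeping (not libpng code). */
typedef struct { const char *key; const char *text; } text_entry;
typedef struct {
    text_entry *text;   /* array of stored text chunks */
    int num_text;       /* entries in use */
    int max_text;       /* entries allocated (capacity) */
} info_struct;

/* Mirrors the growth check in png_set_text_2: the array is only (re)allocated
 * when num_text + 1 exceeds max_text. Returns 0 on success, -1 on allocation
 * failure, -2 where real code would dereference NULL. */
static int set_text(info_struct *info, const char *key, const char *val)
{
    if (info->num_text + 1 > info->max_text) {
        int new_max = info->max_text ? info->max_text * 2 : 8; /* 8: libpng's initial size */
        text_entry *p = realloc(info->text, (size_t)new_max * sizeof *p);
        if (p == NULL) return -1;
        info->text = p;
        info->max_text = new_max;
    }
    /* After the buggy free, text == NULL while max_text is still 8, so the
     * growth check is skipped and this write is the NULL pointer dereference.
     * The model reports it instead of crashing. */
    if (info->text == NULL) return -2;
    text_entry *e = &info->text[info->num_text++];
    e->key = key;
    e->text = val;
    return 0;
}

/* Mirrors freeing PNG_FREE_TEXT. The fix is resetting the capacity too. */
static void free_text(info_struct *info, int reset_capacity)
{
    free(info->text);
    info->text = NULL;
    info->num_text = 0;
    if (reset_capacity) info->max_text = 0;   /* what the patched versions do */
}

/* Load one text chunk, remove the text, add another; returns the second add's result. */
int add_remove_add(int fixed)
{
    info_struct info = {0};
    set_text(&info, "Title", "constructed sample");
    free_text(&info, fixed);
    int rc = set_text(&info, "Author", "constructed sample");
    free_text(&info, 1);
    return rc;
}
```

The unpatched path returns -2 (a NULL dereference in the real function); with the capacity reset the second add succeeds.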

ratliff> "has existed in libpng since version 0.71 of June 26, 1995"
chrisccoulson> Looks like this code is #ifdef'd out of Firefox and Thunderbird, hidden because it's behind a PNG_TEXT_SUPPORTED define, which isn't enabled